It is emblematic of the interconnectedness of today’s world that the imminent entry into force on 28 May of the EU’s General Data Protection Regulation (GDPR) is a matter of real significance for Kiwi businesses. By Tracey Epps.
The GDPR is a new system of personal data protection requirements adopted in the EU (like New Zealand’s Privacy Act, but on a larger scale and with tentacles that reach across the world).
It applies to businesses that collect, store or use personal data (data controllers), and those that process data on behalf of a controller (data processors). New Zealand-based exporters will be captured if they offer goods or services to individuals in the EU (e.g. through a website) or monitor individuals’ behaviour (e.g. purchasing preferences) in the EU.
The GDPR’s requirements go beyond those in New Zealand’s Privacy Act, meaning it is not sufficient to simply comply with domestic legislation. The GDPR requires businesses to comply with:
• Fundamental principles of data processing, including that it is lawful, fair and transparent; and that data is collected only for specified, explicit and legitimate purposes;
• Accountability and governance rules, including that data controllers must integrate data protection into their processing activities, and have a data protection officer (DPO) if their core activities involve processing operations requiring regular and systematic monitoring of individuals on a large scale, or processing of sensitive information on a large scale;
• At least one of the conditions for processing personal data in Article 6, including where the individual has provided consent, and where processing is necessary for the performance of a contract to which the individual is party;
• A requirement that, if consent is required, it be (among other things) freely given, specific and informed, and that there be an unambiguous indication of the individual’s wishes; and
• Rights owed to individuals, including to receive specified information about the processing of their personal data free of charge, “to be forgotten” (i.e. to have data deleted in certain circumstances), to restrict and object to processing in certain circumstances, and “data portability” (the right to receive personal data that they have provided to a controller, and to provide that data to another controller).
Consequences of a breach
A serious breach of the GDPR could cost a business up to four percent of its annual global turnover for the previous financial year, or €20 million (whichever is greater). Individuals suffering damage (e.g. reputational damage, identity theft) due to a business’s breach of the GDPR will also be able to seek compensation from that business.
What should NZ exporters do?
Compliance with the GDPR is important to ensure protection of reputation and brand, and minimise any risks of fines and sanctions for breach. New Zealand exporters should, at a minimum:
• Determine if they fall within the GDPR’s scope;
• Confirm what data they hold, where it is coming from and where it is going;
• Identify if they are relying on consent to process personal data and if so, review processes for obtaining consent to ensure compliance;
• Review privacy policies and processes and identify areas where these may need to be updated to comply with GDPR;
• Ensure that notices to customers about how personal data is processed meet the GDPR’s requirements, including that they are concise, transparent, intelligible and easily accessible;
• Conduct due diligence on any suppliers that process personal data with or on behalf of the business to make sure there are adequate protections in place in accordance with the GDPR; and
• Regardless of whether a DPO is required, ensure someone is responsible for data privacy issues.
Where to get further information:
NZTE has published information on the GDPR, see here: https://www.nzte.govt.nz/about/news/news-and-features/new-european-data-privacy-rule-could-cost-4-of-turnover; the EU also provides a summary, see here: http://ec.europa.eu/justice/smedataprotect/index_en.htm#mobile-menu. Ultimately, however, New Zealand exporters should obtain professional legal advice that considers their specific circumstances.
Tracey Epps is a trade law consultant at Chapman Tripp, Wellington.